Shibboleth Architecture

1 Shibboleth Architecture
Technical Information Session for Developers
Datta Mahabalagiri, April

2 Identity Provider (IdP)
- The "server" side of Shibboleth
- HS (Handle Service): SSO / authentication
- AA (Attribute Authority): attributes
- One instance per campus

3 Service Provider (SP)
- The "consumer" side of Shibboleth
- Apache module or IIS ISAPI filter, plus a daemon
- Handles all interactions with the IdP: ACS (Assertion Consumer Service) and AR (Attribute Requester)
- Attributes are passed to the application in HTTP headers
- Provided by Internet2

4 Federation (diagram; labels: Federation, WAYF)

5 (image-only slide)

6 Architecture (diagram, © SWITCH)
Components shown: Identity Provider (Credentials, SSO (ISIS), HS, User DB, AA, Attribute Repository); Service Provider (ACS, AR, Application / Resource); WAYF. Numbered arrows 1 to 10 trace the handle flow: the HS issues a handle to the SP's ACS, the AR presents that handle to the AA, and the AA returns attributes to the application.

7 Identity Provider at UCLA
Sequence diagram; the numbered callouts, in order:
1 SP (ACS): "I don't know you. Not even which home org you are from. Redirect your request to the WAYF."
2 WAYF: "Please tell me where you are from."
3 User selects UCLA as the home organization.
4 WAYF: "OK, I redirect your request now to the Handle Service of UCLA."
5 IdP (HS): "I don't know you. Please authenticate using ISIS."
6 User submits credentials; the HS verifies them against the User DB.
7 IdP (HS): "OK, I know you now. Redirect your request to the SP, together with a handle."
8 SP (AR): "I don't know the attributes of this user. Let's ask the Attribute Authority."
9 IdP (AA): "Let's pass over the attributes the user has allowed me to release."
10 Resource Manager: "OK, based on the attributes, I grant access to the resource."
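The handle flow of slides 6 and 7, simulated end to end as an added example (this is not code from the presentation or from the Shibboleth project). The browser redirects, the SAML messages and the back-channel connection between the SP's AR and the IdP's AA are collapsed into direct Python calls; the user, the password, the SP entity ID and the release policy are constructed for the example. What it shows is the security shape of the design: the SP never sees credentials, the handle the HS issues is opaque, short-lived, single-use and bound to one SP, and the AA releases only the attributes the user's policy allows for that SP.

```python
"""Shibboleth 1.x handle flow, simulated end to end (added example)."""
import secrets
import time

# Constructed campus directory: credentials plus the attributes the IdP holds.
USER_DB = {
    "jbruin": {
        "password": "correct horse battery staple",
        "attributes": {
            "eduPersonPrincipalName": "jbruin@ucla.edu",
            "eduPersonAffiliation": ["member", "student"],
            "mail": "jbruin@ucla.edu",
        },
    },
}

SP_ENTITY_ID = "https://app.example.edu/shibboleth"  # hypothetical SP identifier

# Attribute release policy: per user, which attributes each SP may receive.
RELEASE_POLICY = {
    "jbruin": {SP_ENTITY_ID: {"eduPersonPrincipalName", "eduPersonAffiliation"}},
}


class IdentityProvider:
    """One campus IdP: Handle Service (HS) plus Attribute Authority (AA)."""

    def __init__(self, user_db, release_policy, handle_ttl=300):
        self._users = user_db
        self._policy = release_policy
        self._handles = {}  # opaque handle -> (username, SP it was issued for, expiry)
        self._ttl = handle_ttl

    def hs_authenticate(self, username, password, sp_entity_id):
        """HS: check credentials (ISIS on the slides), mint an opaque short-lived handle."""
        user = self._users.get(username)
        if user is None or not secrets.compare_digest(user["password"], password):
            return None
        handle = secrets.token_urlsafe(16)  # carries no user information
        self._handles[handle] = (username, sp_entity_id, time.time() + self._ttl)
        return handle

    def aa_query(self, handle, sp_entity_id):
        """AA: resolve the handle and release only what the user allowed for this SP."""
        entry = self._handles.pop(handle, None)  # single use: a replayed handle fails
        if entry is None:
            return None
        username, issued_for, expiry = entry
        if issued_for != sp_entity_id or time.time() > expiry:
            return None
        allowed = self._policy.get(username, {}).get(sp_entity_id, set())
        attrs = self._users[username]["attributes"]
        return {name: value for name, value in attrs.items() if name in allowed}


class ServiceProvider:
    """Assertion Consumer Service (ACS) plus Attribute Requester (AR)."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.sessions = {}  # SP session id -> released attributes

    def acs_receive_handle(self, handle, idp):
        """ACS takes the handle from the redirect; the AR asks the AA for attributes."""
        attrs = idp.aa_query(handle, self.entity_id)
        if attrs is None:
            return None
        session_id = secrets.token_urlsafe(16)
        self.sessions[session_id] = attrs
        return session_id


def run_flow(idp, sp, username, password):
    """Steps 5 to 9 of slide 7 (WAYF selection already made: the user picked this IdP)."""
    handle = idp.hs_authenticate(username, password, sp.entity_id)
    if handle is None:
        return None
    return sp.acs_receive_handle(handle, idp)


if __name__ == "__main__":
    idp = IdentityProvider(USER_DB, RELEASE_POLICY)
    sp = ServiceProvider(SP_ENTITY_ID)
    sid = run_flow(idp, sp, "jbruin", "correct horse battery staple")
    print(sid, sp.sessions.get(sid))
```

An SP that is not in the user's release policy still completes the flow but receives an empty attribute set, which is the AA's "nothing released" answer rather than an error; a replayed or cross-SP handle is refused outright.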

8 Access Control
Read the attributes the SP exports (as HTTP headers, or as request attributes as shown here):
    String eppn = (String) request.getAttribute("eduPersonPrincipalName");
    String affiliation = (String) request.getAttribute("Affiliation");
    if ("student".equals(affiliation)) {
        // allow Read access
    } else if ("faculty".equals(affiliation)) {
        // allow Edit access
    }
Java strings must be compared with equals(), not ==. Affiliation is multi-valued: a user can be member, student and faculty at once, and the SP delivers the values joined with ";", so a plain equality test on the whole string can silently deny or misgrade such users.
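An application-side version of the slide 8 check, written as an added example (not code from the presentation). It models the environment the Shibboleth SP hands a WSGI application on Apache when attributes are exported as environment variables rather than headers (ShibUseHeaders Off); the attribute names follow slide 8 and in practice come from the SP's attribute-map.xml, the sample environs are constructed, and Shib-Session-ID is the variable the SP sets for an active session. Beyond the slide, it splits the multi-valued affiliation, checks the most privileged role first, and shows why a client-forged Affiliation header is harmless: the web server exposes client headers as HTTP_*, which the check never reads, and nothing is trusted without an SP session.

```python
"""Authorization over attributes exported by the Shibboleth SP (added example)."""
from enum import Enum


class Access(Enum):
    NONE = 0
    READ = 1
    EDIT = 2


# Names follow slide 8; the real names are whatever the SP's attribute-map.xml assigns.
EPPN_VAR = "eduPersonPrincipalName"
AFFILIATION_VAR = "Affiliation"


def attribute_values(environ, name):
    """Split a multi-valued attribute; the SP joins several values with ';'."""
    return [v for v in environ.get(name, "").split(";") if v]


def decide_access(environ):
    """Map affiliation to a permission.

    Only variables the SP set are consulted. Headers sent by the client show up
    in a WSGI environ as HTTP_*, so a forged 'Affiliation: faculty' request header
    becomes environ['HTTP_AFFILIATION'] and is never read here.
    """
    if not environ.get("Shib-Session-ID"):
        return Access.NONE  # no SP session, so nothing here came from the SP
    affiliations = set(attribute_values(environ, AFFILIATION_VAR))
    if "faculty" in affiliations:  # most privileged role first: affiliation is multi-valued
        return Access.EDIT
    if "student" in affiliations:
        return Access.READ
    return Access.NONE


def principal(environ):
    """Return the authenticated principal, or None outside an SP session."""
    if not environ.get("Shib-Session-ID"):
        return None
    return environ.get(EPPN_VAR) or None


# Constructed sample environs (no real sessions or people).
STUDENT_ENVIRON = {
    "Shib-Session-ID": "_constructed-session-1",
    "Shib-Identity-Provider": "https://idp.example.edu/shibboleth",
    EPPN_VAR: "jbruin@ucla.edu",
    AFFILIATION_VAR: "member;student",
}
FACULTY_ENVIRON = {
    "Shib-Session-ID": "_constructed-session-2",
    "Shib-Identity-Provider": "https://idp.example.edu/shibboleth",
    EPPN_VAR: "prof@ucla.edu",
    AFFILIATION_VAR: "member;faculty;student",
}
SPOOFED_ENVIRON = {  # client-sent headers only, no SP session behind them
    "HTTP_AFFILIATION": "faculty",
    "HTTP_EDUPERSONPRINCIPALNAME": "prof@ucla.edu",
}


if __name__ == "__main__":
    for env in (STUDENT_ENVIRON, FACULTY_ENVIRON, SPOOFED_ENVIRON):
        print(principal(env), decide_access(env))
```

If the application must read HTTP headers instead (ShibUseHeaders On, or an SP on a different host), the same rule applies in a different form: the Shibboleth SP only protects the header names it is configured to set and only on requests that pass through it, so any path that reaches the application without traversing the SP (a second virtual host, a direct connection to the backend port) lets a client supply those headers itself.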

9 Bilateral vs Federated
Bilateral:
- Establish trust and exchange metadata with the IdP directly
- Likely a simpler deployment model for UCLA-only applications
- User base limited to UCLA
- Can always move to a federated deployment model later

10 Bilateral vs Federated
When to choose a federated deployment?
- Register with a third party hosting a federation
- Interoperability and trust: common standards, compliance with federation requirements
- Security and audit requirements
- Coordinated helpdesk support
- Expanded user base
